IRS and FBI warn about business cyber scams that target COVID teleworkers

Among the many things COVID-19 has changed, possibly forever, is how and where we do our jobs. The work from home trend also has provided cyber criminals new ways to steal our identities and money — corporate cash, too — using telework security lapses and system flaws.

TGIF!

Yeah, workers still say this. However, there's a little less exultation in the announcement nowadays, what with many of us still working from home due to continuing coronavirus pandemic precautions.

Plus, COVID-19 means our prior welcome weekend happy hours now are via Zoom.

The work from home (WFH) shift also has created new scam and identity theft opportunities.

Now, instead of (or more likely, in addition to) focusing on company computer networks, crooks are going after all of us clicking away at computers in our makeshift home offices.

That's why on this final day of National Tax Security Awareness Week 2020, the fifth annual focus by the Internal Revenue Service and its Security Summit partners on ways to stop or at least slow tax-related crime, attention is given to ways crooks target tax professionals' businesses and their relocated employees.

"We've made tremendous progress in the past five years, but we still have work to do," said IRS Commissioner Chuck Rettig in this latest alert on potential telework scams. "The coronavirus and the increase in teleworking creates new ways for these sophisticated cybercriminals to scam people out of their money or their sensitive tax and financial information."

FBI warns of new email scamming technique: The IRS isn't the only federal agency concerned about such business-related schemes. The Federal Bureau of Investigation recently issued an alert about cyber criminals taking advantage of email auto-forwarding to increase their chances of success in Business Email Compromise (BEC) attacks.

In usual business email scams, online crooks spoof, or mimic, a legitimate email address. That makes the recipient think it's coming from within the business or from a client. The scammer's message typically is a request for payment, which the crook says can be made via wire transfer or gift card.

As the COVID-19 pandemic prompted a mass shift to telework, it created an associated increase in the use of web-based email applications, notes the FBI. With that change of work procedures, cyber crooks began exploiting a weakness in some systems.

They implement auto-forwarding rules on victims' web-based email clients to conceal their activities. The web-based clients' forwarding rules often do not sync with the desktop client, making it more difficult for corporate cyber security administrators to see and catch the changes.

This leaves the employee and all connected networks vulnerable to cyber criminals, said the FBI in its Nov. 25 Private Industry Notification of how cyber criminals are adjusting to changed work situations during COVID-19.

"Even after a financial institution or law enforcement contact warns a victimized business of a potential BEC, a system audit may not identify the updated email rules if it does not audit both applications, increasing the time a cyber criminal can retain email access and continue BEC activity," said the nation's top law enforcement agency.

Recent, costly BEC: Cyber criminals then capitalize on this reduced visibility to increase their BEC schemes' success rates, which already have been pretty productive for the bad guys. The FBI's Internet Crime Complaint Center (IC3) reported that BEC schemes in 2019 resulted in fraudulent payments of more than $1.7 billion worldwide.

The criminal cost of BEC using auto-forwarding email rules was evident in August. That's when cybercriminals used the technique to attack the recently upgraded web client of a U.S.-based medical equipment company.

After the criminals gained access to the network, they impersonated a known international vendor and ended up stealing $175,000.

In another version of the scam, the IC3 in 2019 saw an increase in the number of business email complaints related to the diversion of payroll funds.

"In this type of scheme, a company's human resources or payroll department receives an email appearing to be from an employee requesting to update their direct deposit information for the current pay period," the FBI said. The requested change then routes the employee’s paycheck to a criminal.

Stopping work-related cyber crime: The FBI's cyber crime experts recommend a variety of ways to reduce the likelihood of these scams. They include:

  • being watchful for last-minute changes in established email account addresses,
  • checking email addresses for slight changes that can make fraudulent addresses appear legitimate,
  • enabling multifactor authentication for all email accounts and
  • prohibiting automatic forwarding of email to external addresses.
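
One way to check for the auto-forwarding problem described above, comparing the rules seen by both the web and the desktop client as the FBI quote advises. This is an added example, not code from the FBI notice or this post; the export format, field names, domains and addresses are all constructed for illustration.

```python
# Audit forwarding rules exported from BOTH the web and desktop mail clients.
# The record layout is a constructed, hypothetical format, not a vendor schema.
INTERNAL_DOMAINS = {"example-taxfirm.test"}  # assumption: the firm's own domains

# Constructed sample data: rules each client reports for the same mailbox.
WEB_RULES = [
    {"mailbox": "pat@example-taxfirm.test", "name": "Archive invoices",
     "forward_to": ["records@example-taxfirm.test"]},
    {"mailbox": "pat@example-taxfirm.test", "name": ".",
     "forward_to": ["inbox4471@mailbox-provider.test"]},
]
DESKTOP_RULES = [dict(WEB_RULES[0])]  # the desktop client shows only the first rule


def domain_of(address):
    """Return the lower-cased domain part of an email address."""
    return address.rsplit("@", 1)[-1].strip().lower()


def external_targets(rule):
    """List forwarding targets whose domain is not one of the firm's own."""
    return [a for a in rule["forward_to"] if domain_of(a) not in INTERNAL_DOMAINS]


def rule_key(rule):
    """Identity of a rule, used to compare what the two clients report."""
    return (rule["mailbox"].lower(), rule["name"],
            tuple(sorted(a.lower() for a in rule["forward_to"])))


def audit(web_rules, desktop_rules):
    """Flag external forwarding in either client; note rules one client hides."""
    keys = {"web": {rule_key(r) for r in web_rules},
            "desktop": {rule_key(r) for r in desktop_rules}}
    findings = []
    for source, rules, other in (("web", web_rules, "desktop"),
                                 ("desktop", desktop_rules, "web")):
        for r in rules:
            ext = external_targets(r)
            if ext:
                hidden = None if rule_key(r) in keys[other] else other
                findings.append({"mailbox": r["mailbox"], "rule": r["name"],
                                 "seen_in": source, "external": ext,
                                 "hidden_from": hidden})
    return findings


if __name__ == "__main__":
    print(audit(WEB_RULES, DESKTOP_RULES))
```

A finding with `hidden_from` set to `desktop` is the case the FBI describes: an audit that looks only at the desktop client would miss it.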

Phishing scams still predominant: Recent BEC schemes essentially are a type of phishing, which remains a primary way that crooks try to get cash as well as individuals' personal and financial information.

Phishing emails generally have an urgent message, such as "your account password expired." They direct you to an official-looking link or attachment. But the link may take you to a fake site made to appear like a trusted source, where it requests your username and password.

In other cases, a scam email has a link or attachment that contains malware. Once opened, it secretly downloads software that tracks keystrokes, eventually allowing thieves to steal the victim's passwords.

The Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) recently issued a warning about increased phishing scam activity.

The IRS often sees thieves posing as potential clients, trying to trick tax pros into opening an embedded link or attachment. Scams involving COVID-19 and the Economic Impact Payments also have been prevalent.

Tax protection suggestions: The IRS and Security Summit also offer what they have described as the Security Six measures to protect against cyber crimes, both in-office and where WFH employees are involved.

They are:

  1. Use anti-virus software and set it for automatic updates to keep your systems secure. This includes all digital products, computers and mobile phones.
  2. Use firewalls. Firewalls help shield computers from outside attacks but cannot protect systems in cases where users accidentally download malware, for example, from phishing email scams.
  3. Use multi-factor authentication to protect all online accounts, especially tax products, cloud software providers, email providers and social media.
  4. Back up sensitive files, especially client data, to secure external sources, such as an external hard drive or cloud storage.
  5. Encrypt data. Tax professionals should consider drive encryption products for full-drive encryption. This will encrypt all data.
  6. Use a Virtual Private Network (VPN) product. As more practitioners work remotely during the pandemic, a VPN is critical for secure connections.

A quick note here. These online security recommendations are not just for tax professionals. They can protect individual taxpayers, too.

Importance of virtual private networks: In its final Security Awareness tip this year, the IRS and Security Summit stress the use of VPNs for WFH employees.

A VPN provides a secure, encrypted tunnel to transmit data over the internet between a remote user and the company network. As teleworking or working from home continues during COVID-19, VPNs are critical to protecting and securing internet connections.

Failing to use VPNs can increase the risk of remote takeovers by cyberthieves, giving criminals access to the tax professional's entire office network simply by accessing an employee's remote internet connection.

Tax professionals should seek out cybersecurity experts whenever possible to help establish secure in-house and telework systems. You also can search online using the term "Best VPNs" to find a legitimate vendor. Also check out major technology sites, which often provide lists of top services.

The bottom line is that workplace security, whether the work is being done from an office or from employees' homes, always has been critical to protecting tax professionals, their taxpayer clients and Uncle Sam from tax ID theft. The security focus is even more vital during this global medical crisis when more people are in unfamiliar work environments.

Wherever you are, on or off the timeclock, stay safe, stay secure, stay vigilant.
